"""Unit tests for Pydantic models and their validators."""

import tempfile
from pathlib import Path

import pytest
from pydantic import ValidationError

from app.config import Settings
from app.models.config import AddLogPathRequest


@pytest.fixture
def _mock_allowed_dirs(monkeypatch: pytest.MonkeyPatch) -> None:
    """Mock get_settings to return test settings with default allowed directories."""
    def mock_get_settings() -> Settings:
        return Settings(
            database_path=":memory:",
            fail2ban_socket="/tmp/fake.sock",
            fail2ban_config_dir="/tmp/fail2ban",
            session_secret="test-secret-key-do-not-use",
        )

    monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)


def test_add_log_path_request_valid_in_var_log(_mock_allowed_dirs: None) -> None:
    """Valid log paths in /var/log are accepted."""
    req = AddLogPathRequest(log_path="/var/log/auth.log", tail=True)
    assert req.log_path == "/var/log/auth.log"
    assert req.tail is True


def test_add_log_path_request_valid_in_config_log(_mock_allowed_dirs: None) -> None:
    """Valid log paths in /config/log are accepted."""
    req = AddLogPathRequest(log_path="/config/log/app.log", tail=False)
    assert req.log_path == "/config/log/app.log"
    assert req.tail is False


def test_add_log_path_request_valid_with_subdirectory(_mock_allowed_dirs: None) -> None:
    """Log paths in subdirectories of allowed paths are accepted."""
    req = AddLogPathRequest(log_path="/var/log/syslog/auth.log", tail=True)
    assert req.log_path == "/var/log/syslog/auth.log"


def test_add_log_path_request_rejects_path_outside_allowed(_mock_allowed_dirs: None) -> None:
    """Paths outside allowed directories are rejected."""
    with pytest.raises(ValidationError) as exc_info:
        AddLogPathRequest(log_path="/etc/passwd", tail=True)
    error_msg = str(exc_info.value)
    assert "outside allowed directories" in error_msg
    assert "/etc/passwd" in error_msg


def test_add_log_path_request_rejects_home_directory(_mock_allowed_dirs: None) -> None:
    """Paths in home directories are rejected."""
    with pytest.raises(ValidationError) as exc_info:
        AddLogPathRequest(log_path="/home/user/app.log", tail=True)
    error_msg = str(exc_info.value)
    assert "outside allowed directories" in error_msg


def test_add_log_path_request_rejects_shadow_file(_mock_allowed_dirs: None) -> None:
    """Paths to sensitive files like /etc/shadow are rejected."""
    with pytest.raises(ValidationError) as exc_info:
        AddLogPathRequest(log_path="/etc/shadow", tail=True)
    error_msg = str(exc_info.value)
    assert "outside allowed directories" in error_msg


def test_add_log_path_request_rejects_symlink_escape(monkeypatch: pytest.MonkeyPatch) -> None:
    """Symlinks that escape allowed directories are rejected."""
    with tempfile.TemporaryDirectory() as tmpdir:
        allowed_dir = Path(tmpdir) / "allowed"
        escape_dir = Path(tmpdir) / "escape"
        allowed_dir.mkdir()
        escape_dir.mkdir()

        symlink = allowed_dir / "escape_link"
        symlink.symlink_to(escape_dir)

        def mock_get_settings() -> Settings:
            return Settings(
                database_path=":memory:",
                fail2ban_socket="/tmp/fake.sock",
                fail2ban_config_dir="/tmp/fail2ban",
                session_secret="test-secret-key-do-not-use",
                allowed_log_dirs=[str(allowed_dir)],
            )

        monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)

        with pytest.raises(ValidationError) as exc_info:
            AddLogPathRequest(log_path=str(symlink / "evil.log"), tail=True)
        error_msg = str(exc_info.value)
        assert "outside allowed directories" in error_msg


def test_add_log_path_request_validates_startswith_bypass(_mock_allowed_dirs: None) -> None:
    """Paths like /var/log_evil that bypass startswith() are rejected."""
    with pytest.raises(ValidationError) as exc_info:
        AddLogPathRequest(log_path="/var/log_evil/somefile.log", tail=True)
    error_msg = str(exc_info.value)
    assert "outside allowed directories" in error_msg


def test_add_log_path_request_default_tail_is_true(_mock_allowed_dirs: None) -> None:
    """Tail defaults to True."""
    req = AddLogPathRequest(log_path="/var/log/app.log")
    assert req.tail is True


def test_add_log_path_request_error_message_lists_allowed_dirs(_mock_allowed_dirs: None) -> None:
    """Error message includes the list of allowed directories."""
    with pytest.raises(ValidationError) as exc_info:
        AddLogPathRequest(log_path="/root/secret.log", tail=True)
    error_msg = str(exc_info.value)
    assert "/var/log" in error_msg
    assert "/config/log" in error_msg


def test_add_log_path_request_custom_allowed_dirs(monkeypatch: pytest.MonkeyPatch) -> None:
    """Custom allowed directories from settings are respected."""
    def mock_get_settings() -> Settings:
        return Settings(
            database_path=":memory:",
            fail2ban_socket="/tmp/fake.sock",
            fail2ban_config_dir="/tmp/fail2ban",
            session_secret="test-secret-key-do-not-use",
            allowed_log_dirs=["/custom/logs", "/another/path"],
        )

    monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)

    req = AddLogPathRequest(log_path="/custom/logs/app.log", tail=True)
    assert req.log_path == "/custom/logs/app.log"

    with pytest.raises(ValidationError):
        AddLogPathRequest(log_path="/var/log/app.log", tail=True)